CN115146318A - Virtual disk safe storage method - Google Patents


Publication number
CN115146318A
Authority
CN
China
Prior art keywords
virtual disk
file
qcow2
mirror image
virtual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211068135.2A
Other languages
Chinese (zh)
Other versions
CN115146318B (en)
Inventor
王宇锋
谢明
孙立明
张铎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kirin Software Co Ltd
Priority to CN202211068135.2A
Publication of CN115146318A
Application granted
Publication of CN115146318B
Priority to PCT/CN2022/137630 (WO2024045407A1)
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062 Securing storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/064 Management of blocks
    • G06F3/0643 Management of files
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
    • G06F3/0662 Virtualisation aspects
    • G06F3/0664 Virtualisation aspects at device level, e.g. emulation of a storage device or system


Abstract

The invention relates to a secure storage method for virtual disks, comprising the following steps: creating a group of block virtual disk files with the qemu-img tool, wherein the block information of the virtual disk files is written into the file header of the image of the first virtual disk file; starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block information, and finding the images of the other virtual disk files; opening the qcow2 virtual disk in qemu and building block meta information from the block information; and sending each read or write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in. The invention stores the data in different virtual disk files, so that the content of the complete image cannot be recovered if only part of the image is stolen, thereby ensuring the security of the data in the virtual disk image.

Description

Virtual disk safe storage method
Technical Field
The invention relates to the technical field of information security, in particular to a virtual disk secure storage method.
Background
In the cloud computing era, the processing and storage of mass data are unavoidable, and storing such data often requires a secure disk image storage method; once a problem occurs with a disk image, the data security of the cloud computing center is seriously affected. To improve the data security of the disk images of large numbers of virtual machines, data is often encrypted when it is stored and decrypted when it is used.
In principle, the problems to be solved by secure storage are two:
1. How to ensure that file data is complete, reliable and not leaked.
2. How to ensure that only legitimate users can access the relevant files.
Solving these two problems requires data encryption and authentication and authorization management, which are the core technologies of secure storage. In secure storage, a file is turned into ciphertext (encrypted) by technical means and restored (decrypted) by the same or different means when it is used. The file is therefore stored in a ciphertext state and used in a plaintext state, which ensures security while remaining convenient to use. Encryption has two elements: the algorithm and the key. Techniques for encrypting data fall into two categories, namely symmetric encryption (private key encryption) and asymmetric encryption (public key encryption). Symmetric encryption is typified by the Data Encryption Standard (DES) algorithm, and asymmetric encryption is typified by the RSA (Rivest-Shamir-Adleman) algorithm. In symmetric encryption the encryption key and the decryption key are the same, while in asymmetric encryption they differ: the encryption key can be public and the decryption key must be kept secret.
Generally, an asymmetric key is mainly used for identity authentication or to protect a symmetric key, and everyday data encryption generally uses a symmetric key.
Modern mature encryption and decryption algorithms have reliable encryption strength and are difficult to break by force unless the correct key is held. When a secure storage product is actually deployed and stronger identity authentication is required, a U-key can be used; this kind of authentication device is widely used in online banking.
With encryption and identity authentication, storage is reliably protected.
The most common encryption method for virtual machine image storage works as follows: the processing is done in the block device's read and write functions. Data is encrypted on write and decrypted on read, the key can be passed in dynamically or stored on a key fob, and the specific encryption algorithm can be selected according to the usage scenario.
Secure storage is still storage in nature, and can serve as a remote distributed storage center for files and data. Compared with ordinary storage, distributed storage is safer and more reliable, and is suitable for fields that require confidentiality. If the data is kept in one place, all of it can be obtained by a single compromise; if the data is kept in different places, the complete data can only be recovered by compromising several places, that is, several remote storage centers, at the same time. The scheme is therefore that the disk image is composed of a plurality of blocks, the data is dispersed across the image files, and each image file can be stored in a different data center. Even if one of the data centers is compromised, the content of the disk image cannot be restored. This requires the virtual disk file to support block storage, with different storage blocks placed in different storage locations. This patent aims to allow a disk image file in qcow2 format to be stored in blocks in different files, and to read the previously stored data back from each storage block at run time. The data of the virtual machine is thus stored in different locations, which achieves the goal of storage security.
Chinese invention patent "A method for creating and using an encrypted snapshot of a disk image file, and a storage medium" (patent number: CN 109376119A). The embodiment of that invention discloses a method for creating an encrypted snapshot of a disk image file, a method for using the encrypted snapshot, and a storage medium, and belongs to the field of virtualization. The method for creating the encrypted snapshot comprises: parsing the key parameters to generate the cipher information used to encrypt and decrypt files; copying the cipher information to the source file's operation options; opening the source file according to those operation options; and determining whether the source file was opened successfully and, if so, creating a snapshot and setting the snapshot's encryption information. When the snapshot is run, the source file can be decrypted with the snapshot key, which solves the problem that keys could not be passed to the source file and the snapshot at the same time in the existing function, and provides the encryption function and the snapshot function together. The method implements encrypted snapshots of disk image files for Qemu qcow2. It does not improve the security of the encryption; it mainly allows encryption and snapshots to be used at the same time.
Chinese invention patent "A method and a system for protecting private information of a trusted virtual machine vTPM based on tenant identity information" (patent number: CN 111683052A). The method comprises: establishing two non-migratable keys RSA_local and RSA_mig of a physical trusted platform module, and generating a corresponding digital certificate Certificate_mig for the RSA_mig key; generating and storing identity authentication information on a local host by a cloud tenant; when a trusted virtual machine is created, creating a vTPM tag for the vTPM instance of each virtual machine; and acquiring the identity authentication information identity_info, the vTPM tags and tenant_info, and checking their integrity, timeliness, legality and consistency. Likewise, the integrity, timeliness, legality and consistency of the corresponding fields are checked in the running and migration stages of the trusted virtual machine and in the exit, destruction, suspension and snapshot stages. That invention can protect the whole life cycle of a vTPM based on libtpms software emulation added to an IaaS cloud platform built on KVM virtualization, and prevents the leakage of private information. The patent uses a TPM module for availability verification, and does not protect the disk when the machine is shut down.
Chinese invention patent "Virtual machine data protection system and method" (patent number: CN 103902884A). The patent discloses a virtual machine data protection system and method, and relates to the technical field of cloud computing virtualization data security. Secure access to virtual machine data is achieved by verifying, marking and network-controlling requests to access virtual machine data in Domain0, combined with monitoring of data behavior and data flow inside the virtual machine. It addresses the problem that, in a multi-tenant virtual machine environment, a virtual machine is illegally accessed from outside the cloud or by other virtual machines because a service deployed in the virtual machine has a bug or a configuration error, or because an application or the kernel of the virtual machine has a bug. That patent is primarily directed at data security at run time.
Chinese invention patent "A method for safely storing and quickly calling data, and a mobile terminal" (patent number: CN 109829324A). The method comprises: encrypting the data that the system needs to store under an open public path; storing the encrypted data under the open public path; decrypting the data under the open public path, storing the decrypted data in virtual memory, and forming a mapped path from the storage address; and modifying the system call interfaces whose access path defaults to the open public path so that they use the mapped path, allowing the system to call the decrypted data from virtual memory. That invention solves the problem of storing data securely under the system's default path and also improves the speed at which the data is called, avoiding system stalls and unresponsiveness and resolving the conflict between storage security and call speed. That patent only addresses encryption of data stored under an open public path.
Chinese invention patent "A mobile terminal data safe storage method based on a virtual disk" (patent number: CN 109325355A). The invention provides a secure storage method for mobile terminal data based on a virtual disk, and belongs to the field of information security. It works by first creating an independent disk partition on the hard disk and creating a fixed-size file that emulates a disk partition, then formatting the file content as a custom file system so that the file emulates a disk, that is, a virtual disk. Finally, real-time encryption is applied by adding encryption and decryption to the disk read and write path, which ensures the security of the data. The invention customizes an encrypted file system for the independent disk partition and builds an encryption and decryption pipeline with plaintext in memory and ciphertext on disk, which avoids leaving plaintext traces on the disk and provides transparent data protection. It offers higher security and flexibility, provides strong protection for data on the mobile terminal, allows the encrypted file system and the identity verification mechanism to be customized, and can provide various encryption algorithms and working modes. The encryption approach of that patent, encryption of the disk's data segments, is one that qemu already supports.
Chinese invention patent "A differential virtual disk linking method" (patent number: CN 108228108A). The patent discloses a method for linking differential virtual disks, comprising: 1) improving the file format of the differential virtual disk, so that the recorded path of the original virtual disk is changed from the current absolute or relative path in the physical machine system to URL path information that can be accessed over a network; 2) improving the virtual disk driver: reading and writing a differential virtual disk depends on the virtual disk driver, which accesses the original virtual disk file on a server over an IP network according to the network path recorded in the differential virtual disk; 3) a virtual disk access service, comprising a host that stores the original virtual disk files and a network service that provides access to the original virtual disk, monitors access requests from differential virtual disk hosts, and reads and writes the original virtual disk according to those requests. In this method the differential virtual disk and the original virtual disk are deployed separately and accessed across hosts, which makes rapid deployment convenient while balancing data security and access speed. That patent relies on the "backing file" feature of the qcow2 format: one image serves as a reference disk (usually with the most basic OS files and data installed), other disks that need this base designate the image as their backing file, and content that differs afterwards is written to each disk's own virtual disk. If multi-level backing files are created, modifying earlier data causes data redundancy, and the disk space cost of partitioning in this way is very high.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a secure storage method for virtual disks, comprising the following steps:
Step S1: creating a group of block virtual disk files with the qemu-img tool, and writing the block information of the virtual disk files into the file header of the first virtual disk file;
Step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block information, and finding the images of the other virtual disk files;
Step S3: opening the qcow2 virtual disk image in qemu, and building block meta information from the block information;
Step S4: sending each read or write request to the virtual disk file of the corresponding virtual disk image for processing, according to the block range the request falls in.
In step S1, the group of block virtual disk files is created with the following command line:
qemu-img create -f qcow2 -d parameter1 xxxx.qcow2 parameter2
where parameter 1 is the size of each created virtual disk file and parameter 2 is the size of the whole virtual disk image.
In step S1, an image positioning layer is added to the source code of the qcow2_co_create_opt function, so as to determine an addressing range for each created virtual disk file;
in step S2, an image positioning layer is added to the source code of the qcow2_open function, which reads the block information in the first virtual disk file and finds the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read or write request is processed.
In step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions includes an offset parameter and a bytes parameter, where the offset parameter determines the offset position in the virtual disk image and the bytes parameter determines the size of the requested content.
In step S1, a field div_img_size is added to the file header of the image of the first virtual disk file to save the block information of the virtual disk file.
In step S1, the block information of the virtual disk file is stored in the following field of the file header of the first virtual disk file: uint64_t div_img_size //
According to the method for safely storing the virtual disk, provided by the invention, the data is stored in different virtual disk files, and the content of the complete mirror image cannot be recovered under the condition that a part of the mirror image is stolen, so that the safety of the data in the virtual disk mirror image is ensured.
Drawings
FIG. 1: Logic diagram of the basic technical concept of the present invention.
FIG. 2: IO addressing flow chart of a prior-art virtual disk image.
FIG. 3: IO addressing flow chart of the present invention, based on a qcow2 virtual disk image split into blocks.
Detailed Description
In order to further understand the technical scheme and the advantages of the present invention, the following detailed description of the technical scheme and the advantages thereof is provided in conjunction with the accompanying drawings.
FIG. 1 is a logic diagram of the basic concept of the present invention. At present, the qcow2 virtual disk image used in most cases is stored in a single file, and if the backing file function is used there may also be a gold image. If information leaks from the place where the virtual disk image file is stored, a thief can easily obtain all the data stored in the virtual machine. However, if the virtual disk image is composed of several files and each block image is placed in a different location, this is like "putting eggs in different baskets": a thief who takes only part of the image cannot recover the content of the complete image. Storing the virtual disk image in blocks at different locations therefore improves the security of the data in the virtual disk image.
In order to achieve the above object, the following problems need to be solved:
1. How to divide the image into blocks
To avoid increasing the addressing complexity, the blocking strategy can specify the addressable range of each block when the virtual disk image is made (qemu-img create); beyond that range the next block image is created automatically. Each block is in qcow2 format, so it occupies little storage space when created and grows gradually as data is written into the image, which preserves the best characteristic of qcow2.
2. At which layer to intercept the virtual machine's read and write requests in order to implement block storage of the image
Block storage of the image is implemented by modifying the source code of qcow2_co_create_opt / qcow2_open / qcow2_co_preadv / qcow2_co_pwritev in qcow2.c in the qemu source code, and adding to the modified code an image positioning layer (which decides to which image a read or write request is dispatched).
3. Where the block information is stored
The block size is recorded in the div_img_size field in the qcow2 header of the first virtual disk file. This also identifies which file is the first image. On the next open, the block information is read back.
To solve these technical problems, the invention starts from the principles of the qcow2 format, optimizes the code related to qcow2 images in the qemu source code, and adds image positioning layer code by modifying the qcow2 family of interface functions, so that block storage of the image is achieved without affecting the original interface or usage habits.
FIG. 2 is a flow chart of virtual disk image IO addressing in the prior art. The general qcow2 addressing process is as follows: the qcow2 header gives the position of the Level1 table in the virtual disk image; the Level1 table is searched for the position of the Level2 table that corresponds to the address; and the Level2 table gives the offset of the cluster that actually stores the data.
With the qcow2 block design of the present invention added, the flow chart is as shown in FIG. 3, and on this basis the secure storage method for virtual disks of the present invention is formed:
1. Creating a block virtual disk image with the qemu-img tool
Assuming that an 80G virtual disk image is to be split into 8 virtual disk files, the following command line is used: qemu-img create -f qcow2 -d 10g xxxx.qcow2 80G. This automatically creates a group of block virtual disk files according to the specified virtual disk image size. During creation, the image positioning layer added to the source code of the qcow2_co_create_opt function determines an addressing range for each created virtual disk file, and information such as the block size is written into the file header of the first virtual disk file. Specifically, a field (div_img_size) is added at the end of the QCowHeader to save the "block size" information in the first virtual disk file.
[0-10G]: xxxx.qcow2
[10-20G]: xxxx.qcow2.div1
[20-30G]: xxxx.qcow2.div2
[30-40G]: xxxx.qcow2.div3
[40-50G]: xxxx.qcow2.div4
[50-60G]: xxxx.qcow2.div5
[60-70G]: xxxx.qcow2.div6
[70-80G]: xxxx.qcow2.div7
The block virtual disk image has now been created. Next, the virtual machine needs to know that the created virtual disk image is a block image, that is, the block information must be read when the virtual machine is started.
2. Starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the block size, finding the block images of the other virtual disk files, and determining the range that each virtual disk file is responsible for storing. Specifically, an image positioning layer is added to the source code of the qcow2_open function; it reads the block information in the first virtual disk file and finds the images of the other virtual disk files.
3. Opening the qcow2 virtual disk image in qemu, and building block meta information from the block information. Specifically, after reading the block information of the first virtual disk file, the virtual machine knows the block images of all the virtual disk files. The block information is then described as meta information and loaded into memory to form a data model, so that the program can address through the meta information and does not need to read the block information from the file header of the first virtual disk file again for every read or write operation.
At this point the blocking of the virtual disk image is complete, and read and write operations on the virtual disk image can be performed.
When read and write operations are performed on the virtual disk image, the file system layer manages the virtual disk image automatically and decides where a newly created file is written; the program addresses according to the information returned by the file system layer and completes the read or write.
4. Read request operation
When qcow2 of qemu processes a read request, the request is respectively sent to the virtual disk files partitioned by the corresponding virtual disk images according to the partition range for processing. By adding a mirror image positioning layer in a source code of a qcow2_ co _ preadv function, a virtual disk file of a corresponding virtual disk mirror image is ensured to be addressed when a read request is processed, and the method specifically comprises the following steps:
(1) Parameters of the qcow2_ co _ preadv function include offset (virtual disk offset position) and bytes (requested content size), and the request is divided according to the range of the virtual disk file responsible for the virtual disk image block, so that the IO request queue is divided.
(2) And constructing an environment context according to the virtual disk file to be dispatched according to the segmented request.
(3) And dispatching the divided request queue to execute according to the mirror image of the virtual disk file.
5. Write request operation
When qemu's qcow2 processes a write request, the request is sent, according to its block range, to the virtual disk file of the corresponding virtual disk image for processing. An image positioning layer is added to the source code of the qcow2_co_pwritev function so that the virtual disk file of the corresponding virtual disk image is addressed when a write request is processed. The specific steps are as follows:
(1) The parameters of the qcow2_co_pwritev function include offset (the virtual disk offset position) and bytes (the size of the requested content). The request is split according to the ranges that the virtual disk files of the blocked virtual disk image are responsible for, which splits the IO request queue.
(2) An environment context is constructed for each split request according to the virtual disk file it is to be dispatched to.
(3) The split request queue is dispatched for execution according to the virtual disk file image.
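The request splitting described in the read and write steps above, as an added C example that is not QEMU's or the patent's own code: it assumes every virtual disk file covers an equal, contiguous range of div_img_size bytes, and the names SubRequest, split_request and disk_size are hypothetical.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names: SubRequest and split_request are illustrative, not
 * QEMU symbols. Assumes equal, contiguous ranges of div_img_size bytes. */
typedef struct {
    uint64_t file_index;  /* which virtual disk file serves this piece */
    uint64_t file_offset; /* guest offset relative to that file's range */
    uint64_t bytes;       /* length of this piece */
} SubRequest;

/* Split guest range [offset, offset + bytes) at file boundaries. Returns the
 * number of pieces, or -1 for a zero chunk size, a range past the end of the
 * disk (checked without overflow), or an output array that is too small. */
int split_request(uint64_t offset, uint64_t bytes, uint64_t div_img_size,
                  uint64_t disk_size, SubRequest *out, size_t out_cap)
{
    size_t n = 0;
    if (div_img_size == 0 || offset > disk_size || bytes > disk_size - offset)
        return -1;
    while (bytes > 0) {
        uint64_t in_file = offset % div_img_size;
        uint64_t room = div_img_size - in_file;
        uint64_t len = bytes < room ? bytes : room;

        if (n == out_cap)
            return -1;
        out[n].file_index = offset / div_img_size;
        out[n].file_offset = in_file;
        out[n].bytes = len;
        n++;
        offset += len;
        bytes -= len;
    }
    return (int)n;
}

int main(void)
{
    SubRequest r[4];
    /* Constructed sample: 1 KiB files, 4 KiB disk, request crossing file 0/1. */
    int n = split_request(900, 300, 1024, 4096, r, 4);
    for (int i = 0; i < n; i++)
        printf("file %" PRIu64 " offset %" PRIu64 " bytes %" PRIu64 "\n",
               r[i].file_index, r[i].file_offset, r[i].bytes);
    return n < 0;
}
```

The bounds check runs before any splitting, so a request that extends past the end of the disk never yields a file index beyond the last virtual disk file.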
In the invention, a virtual disk file is a storage mode, used by a virtual machine, that simulates a hard disk device with a file. Seen from the Host, the disk of the virtual machine is a file; seen from the Guest, the disk of the virtual machine is no different from an ordinary hard disk.
In the invention, the "QCOW2 format" stands for Qemu Copy On Write format, a virtual disk image format of the Qemu virtual machine that grows dynamically when a "write" operation occurs. Compared with the native image format (RAW), its biggest characteristic is that space is allocated only when data actually needs to be stored, which saves disk space on the Host. The qcow2 image format is organized into a number of fixed-size units called clusters. Both the actual user data (guest data) and the image metadata (metadata) are stored in cluster units.
Compared with the prior art, the invention has the following advantages:
1. The invention scatters what was previously a single disk image file across different image files, avoiding the problem that, once one disk image is stolen, all data in the whole virtual disk can be cracked.
2. The disk blocking strategy also allows further security designs: instead of a fixed-range blocking strategy, the security encryption strategy can be customized according to the usage scenario.
3. The invention can be implemented without changing the interface and usage habits of the original virtual machine, and is well compatible with upper layers such as libvirt.
Although the present invention has been described with reference to the preferred embodiments, it should be understood that various changes and modifications can be made therein by those skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (6)

1. A virtual disk secure storage method, characterized by comprising the following steps:
step S1: using the qemu-img tool to create a group of blocked virtual disk files, and writing the blocking information of the virtual disk files into the file header of the first virtual disk file;
step S2: starting a virtual machine, specifying the first virtual disk file of the virtual disk image through the qemu-kvm program, reading the blocking information, and finding the images of the other virtual disk files;
step S3: opening the qcow2 virtual disk image in qemu, and establishing block meta information from the blocking information;
step S4: sending each read-write request, according to the block range it falls in, to the virtual disk file of the corresponding virtual disk image for processing.
2. The virtual disk secure storage method according to claim 1, wherein in step S1, the group of blocked virtual disk files is created with the following command line:
qemu-img create -f qcow2 -d parameter1 xxxx.qcow2 parameter2;
wherein parameter1 is the size of each created virtual disk file, and parameter2 is the size of the whole virtual disk image.
3. The virtual disk secure storage method according to claim 1, wherein in step S1, an addressing range is determined for each created virtual disk file by adding an image positioning layer to the source code of the qcow2_co_create_opt function;
in step S2, an image positioning layer is added to the source code of the qcow2_open function, so as to read the blocking information in the first virtual disk file and find the images of the other virtual disk files;
in step S4, an image positioning layer is added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions, so that the virtual disk file of the corresponding virtual disk image is determined when a read-write request is processed.
4. The virtual disk secure storage method according to claim 3, wherein in step S4, the image positioning layer added to the source code of the qcow2_co_preadv and qcow2_co_pwritev functions includes an offset parameter and a bytes parameter, wherein the offset parameter is used to determine the offset position in the virtual disk image, and the bytes parameter is used to determine the size of the requested content.
5. The virtual disk secure storage method according to claim 1, wherein in step S1, the blocking information of the virtual disk files is saved by adding a field div_img_size to the file header of the image of the first virtual disk file.
6. The virtual disk secure storage method according to claim 5, wherein in step S1, the blocking information of the virtual disk files is stored in the following entry of the file header of the first virtual disk file: uint64_t div_img_size //.
CN202211068135.2A 2022-09-02 2022-09-02 Virtual disk safe storage method Active CN115146318B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211068135.2A CN115146318B (en) 2022-09-02 2022-09-02 Virtual disk safe storage method
PCT/CN2022/137630 WO2024045407A1 (en) 2022-09-02 2022-12-08 Virtual disk-based secure storage method

Publications (2)

Publication Number Publication Date
CN115146318A (en) 2022-10-04
CN115146318B (en) 2022-11-29

Family

ID=83415825

Country Status (2)

Country Link
CN (1) CN115146318B (en)
WO (1) WO2024045407A1 (en)

Also Published As

Publication number Publication date
WO2024045407A1 (en) 2024-03-07
CN115146318B (en) 2022-11-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant